State of the cyber talent market

About the Author

Matt Comyns is managing partner of the rm’s Cyber Security Practice. His focus is on recruiting chief information security of cers and next-level-down top lieutenants in information security for large global corporations and fast-growing private companies, as well as cyber security consultants for leading professional services rms and top executives for cyber security technology companies.

Matt has been on the ground since hacking and cybercrime started showing up on the radar of major corporations, and has successfully recruited more than 100 high-ranking executives in this burgeoning space.

Overview

It has been a little over three years since the Target breach—the watershed moment when cyber security changed overnight from an issue that lived in the murky realm of I suppose it’s a concern, but there are more pressing matters, to an issue at the top of the priority list for companies and industries across the board.

I feel fortunate to have had a front row seat as the aftermath of that event has unfolded. I worked on my rst CISO search approximately six years ago, and have since worked on more than 100 cyber security-related executive searches and talked with hundreds of other companies about their cyber programs and human capital challenges.

Cyber programs certainly existed “pre-Target,” however, the dialogue and environment changed dramatically after the Target breach and the infamous Sony incident a year later.

Outside of government, defense contractors, nancial services, technology, and telecom, there was not a lot of investment in cyber. As other industries (energy, consumer, manufacturing, retail, health care, etc.) began to “get religion” on the topic, we started to see the kind of supply and demand disconnect that can best be likened to Dutch Tulip Bulb mania or 1999 Dotcom Bubble hype.

In 2016, even the most dutiful of cyber executives lost their way in the face of multiple and increasingly lucrative job opportunities. It was a psychology study in bad human behavior—particularly troubling since these are the people we are relying on to protect us!

In these cyber execs’ defense, they saw life-changing offers and no end in sight on the demand side. It is easy for them to justify their decisions, because there will seemingly always be another company out there willing to overlook any perceived bad judement. They’re sort of right. The US and the rest of the world are nowhere near maturity in the development of their cyber programs, and it will be quite a few years before the market normalizes.

Cyber programs certainly existed “pre-target,” however, the dialogue and environment changed dramatically after the target breach and the infamous sony incident a year later.

So now what?

I am sympathetic to companies that are committed to hiring top talent and building leading cyber security programs in this overly in ated market—I have watched many executives and talent teams do EVERYTHING right and still
get disappointed.